Time to Raise Your Shield: The New EU-U.S. Framework Is Here

After nine months of intense negotiations and uncertainty, and despite ongoing criticisms from powerful data protection regulators, the new EU-U.S. Privacy Shield program went into effect this week as the U.S. Department of Commerce began accepting applications online. Some companies that are self-certifying their compliance have already submitted their documentation and many more are expected to do so in the coming days and weeks as they seek shelter under the replacement for the long-standing EU-U.S. Safe Harbor arrangement that was invalidated by the European Court of Justice last year.

Companies can now “sign up” for the Privacy Shield list, but they should not expect a rubber stamp from the Commerce Department just because they have self-certified. To ensure that their applications are approved, companies should take the following steps:

Confirm that they are eligible to participate—not all organizations are. Only companies subject to the jurisdiction of the FTC or the DOT may participate at this time

Develop a Privacy Shield-compliant privacy policy statement

Identify their independent recourse mechanism—under the new framework, self-certifying organizations must provide an independent recourse mechanism available to investigate unresolved complaints at no cost to the individual

Ensure that they have compliance verification mechanisms in place

Designate contacts within their organizations to serve as liaisons regarding the Privacy Shield

The Privacy Shield will impose stronger obligations on U.S. companies to protect the personal data of Europeans and require stronger monitoring and enforcement to be carried out by the U.S. Department of Commerce and the Federal Trade Commission. The deal also includes written assurances from the U.S. that the access that law enforcement and intelligence authorities have to transferred data will be subject to clear limitations, safeguards and oversight mechanisms that will prevent indiscriminate mass surveillance of European citizens’ data.

EU and U.S. officials agreed the new rules would begin on July 12, but it wasn’t always clear that the rules would pass muster in the EU. As we wrote about in this space, the typically influential EU Article 29 Working Party (“WP29”)—which is a collective of EU data protection authorities—announced in April that it did not support the EU-U.S. Privacy Shield as currently drafted, saying it didn’t go far enough to protect citizens’ data or to address their concerns over U.S. intelligence officials’ bulk data collection practices. But the WP29’s opinion was not binding and the member states ultimately disagreed.

Companies should not get too comfortable with the new system, however. The same European privacy advocates that successfully challenged the Safe Harbor have vowed to challenge the new Privacy Shield as well.